This action might not be possible to undo. Are you sure you want to continue?
ID#: Title: 2481 Control System Security Assessments Track: Industrial Security
Marty Edwards Idaho National Laboratory Todd Stauffer Siemens
Cyber Security Series at the Summit 2488 – Catch me if you can
Real Life Examples of Security Professionals Breaking into Industrial Control Rooms and Corporate Offices
Jonathan Pollet (Industrial Defender) 2481 – Control System Security Assessments You are here ! 6– Cyber Security Panel Session 4:15pm – 5:30pm Room 327
Control System Security Assessments
2008 Siemens Automation Summit
Program Sponsor: Control Systems Security Program National Cyber Security Division U.S. Department of Homeland Security
Presenter Marty Edwards 17+ yrs of experience working with control systems from the perspectives of a vendor and an end user Marty.Edwards@inl.gov (208) 526-9372 4 .
Session Overview Introduction Vulnerabilities and Threat Trends Assessment Findings Control Systems Security Program Review Summary and Questions Hand over to Todd Stauffer – Siemens 5 .
which include: SCADA (Supervisory Control and Data Acquisition) DCS (Distributed Control System) PCS (Process Control System) EMS (Energy Management System) AS (Automation System) SIS (Safety Instrumented System) Any other automated control system 6 .Definition of a Control System The term “Industrial Control System” (ICS) refers to a broad set of control systems.
Control System Basics Sensors Control Valves Human Machine Interfaces (HMI) and Operator Displays Programmable Logic Controllers (PLC) Motor Controls I/O Meters Sensors Field Devices Remote PLC IED RTU Controller. Comms Protocols Ethernet Serial Wireless Master SCADA server HMI EMS DCS Field Devices Control Center 7 .
Evolution – Panel Based Controls Push Buttons Single Loop Controls Stand Alone No Networks No Communication From a cyber security standpoint this system is ‘isolated’ 8 .
Evolution – Legacy Equipment Proprietary Networks Proprietary OS No Ethernet No Intranet connections “Security by Obscurity” From a cyber security standpoint this system is ‘exploitable – but not a trivial task’ 9 .
Evolution – Modern Equipment Ethernet everywhere Wireless ‘in the rack’ Remote configuration Windows & Linux OS Commercial Off The Shelf (COTS) From a cyber security standpoint this system is ‘a huge challenge – readily exploitable’ 10 .
Control from your PDA Advancements will make accessing key systems very easy Applications running on known-to-be-vulnerable systems 11 .
Control via the Internet Systems are DIRECTLY connected to the Internet Some of these systems have very poor security: Lack of encryption methods (like VPN access) Sites use published vendor default passwords Sites using domain names that point to function like “SCADAforyourcity.com” Utilizing Internet search engines it is quite easy to find some of these sites… 12 .
Example HMI access from the web These screens actually have control of a city’s water pumping facility Real HMI screens pulled off the Internet HMI only required vendor default usernames to login 13 .
Control Systems Are Gaining Interest Currently. a cyber attack on Industrial Control Systems is one of the only ways to induce real-world physical actions from the virtual realm of the Internet This is leading to an increased level of interest in Industrial Control Systems by ‘black hat’ groups Due to the complex nature of network-based control systems. it becomes very hard to distinguish between normal operational nuances and an actual attack. 14 .
from multiple regions outside the United States. the disruption caused a power outage affecting multiple cities. We have information that cyber attacks have been used to disrupt power equipment in several regions outside the United States.” – CIA Senior Analyst 15 . followed by extortion demands. and nation state cyber warfare – asymmetric warfare Interdependency of critical sectors can increase the overall appeal using cyber as an attack tool Internet increases availability of hacker tools along with information about infrastructures and control systems Emergence of a strong financial motive for cyber crime to exploit vulnerabilities “We have information. In at least one case.Risk Drivers: Threats International and domestic terrorism. of cyber intrusions into utilities.
Cyber Threat Trends Malicious Code High “Stealth”/Advanced Scanning Techniques Denial of Service Network Management Diagnostics Sweepers Back Doors Disabling Audits Morphing Intruder Knowledge Attack Sophistication Distributed Attack Tools Era of Modern Information BOTS Technology Zombies WWW Attacks Current SCADA Automated Probes/Scans Zone of Defense Packet Spoofing Era of Legacy Sniffers Control System Hijacking Sessions Exploiting Known Vulnerabilities Technology Password Cracking Self-Replicating Code Password Guessing Low 1980 1985 1990 1995 2000 2005 2010 Lipson. Tracking and Tracing Cyber-Attacks: Technical Challenges and Global Policy Issues. F.. 16 . H. November 2002. page 10. Special Report CMS/SEI-2002-SR-009.
Types of Attackers Crackers Break into computers for profit or bragging rights Insiders Disrupt their corporate network. often for revenge Attackers May Utilize Each Others Resources… Terrorists Attack systems for cause or ideology Hostile Countries Attack enemy countries’ computers 17 . sometimes an accident.
2004 Sasser worm disabled oil platforms for 2 days by crawling through the network via HTTP and NetBios ports. Virus ‘fix’ erased licensing keys.Cyber Incidents Incident Plant shutdown from game installed from infected disk onto a PLC workstation. halting train service for 6 hours. 100’s of documented cases exist. 2003 SoBig virus affected rail dispatch and signaling systems. but details are often sketchy 18 .
Brown’s Ferry (TVA) August 19.2006 Not a cyber attack. but clearly shows impact of a cyber incident on NPP operations Variable Frequency Drives (VFD) on recirculation pumps became nonresponsive 19 .
Hatch NPP Introduction of SW caused SIS to initiate plant shutdown Connection from Corp to SCADA ensure a synchronization and reboot of all machines System behaved as it was supposed to …there was full two-way communication between certain computers on the plant's corporate and control networks. 20 .
Harrisburg. PA water facility 21 .
2 deny hacking into L.A.'s traffic light system
Two accused of hacking into L.A.'s traffic light system plead not guilty. They allegedly chose intersections they knew would cause major jams. By Sharon Bernstein and Andrew Blankstein, Times Staff Writers - January 9, 2007
Back in August, the union representing the city's traffic engineers vowed that on the day of their work action, "Los Angeles is not going to be a fun place to drive." City officials took the threat seriously. Fearful that the strikers could wreak havoc on the surface street system, they temporarily blocked all engineers from access to the computer that controls traffic signals. But officials now allege that two engineers, Kartik Patel and Gabriel Murillo, figured out how to hack in anyway. With a few clicks on a laptop computer, the pair — one a renowned traffic engineer profiled in the national media, the other a computer whiz who helped build the system — allegedly tied up traffic at four intersections for several days.
Los Angeles Times
Vendor Assessment Objectives
Control Systems Vendor Partnership Utilizing expertise at Control Systems Security Center (CSSC) Benefits: Identify specific cyber security vulnerabilities Mitigate vulnerability in partnership with vendors Deliver cyber security solutions to end users through patches and products
Assessments Joint findings from government sector agencies and company sponsored programs Assessments were both on-site and lab based Assessments typically consist of: Interviewing control system operators. and IT staff on configuration and use Touring the facility to see how things actually operate Doing a “table top” review of network and security (firewalls. scanning the network and carrying out penetration type testing in a non-threatening posture (bench test. secondary system) 25 . engineers.) In some cases. IDS/IPS. etc.
Assessment General Findings Default vendor accounts and passwords still in use Some systems hardcoded and unable to be changed! Guest accounts still available Unused software and services still on systems No security-level agreement with peer sites No security-level agreement with vendors Poor patch management (or patch programs) Extensive auto-logon capability Some findings can provide for attack vectors 26 .
) Shared passwords Web enabled critical field devices 27 . IDS.) This has been improving in the last 6 months Little emphasis on reviewing security logs (Change management) Control system use of enterprise services (DNS. etc. etc.Assessment General Findings continued Typical IT protections not widely used (firewalls.
Use of inadequately secured wireless communication for control These are not in any order of importance 28 .NERC Top 10 Vulnerabilities – 2007 As identified by the Control System Security Working Group 1. System administration mechanisms and software used in control systems are not adequately scrutinized or maintained 5. and culture that govern control system security 2. Remote access to the control system without appropriate access control 4. procedures. Inadequately designed control system networks that lack sufficient defense-in-depth mechanisms 3. Inadequate policies.
or implemented critical support infrastructure These are not in any order of importance 29 .NERC Top 10 Vulnerabilities continued 6. Use of a non-dedicated communications channel for command and control and/or inappropriate use of control system network bandwidth for non-control purposes 7. designed. Insufficient application of tools to detect and report on anomalous or inappropriate activity 8. Control systems command and control data not authenticated 10. Inadequately managed. Unauthorized or inappropriate applications or devices on control system networks 9.
S. Department of Homeland Security National Cyber Security Division Control Systems Security Program American Chemistry Council Chemical Sector Cyber Security Program 30 .Chemical Sector Awareness Video Developed in partnership between: U.
unusable Poor application coding practices Improper application and service privileges No anti-virus software 32 .Vulnerabilities of System in Video Clear text communications Network switch configuration flaws Dynamic ARP tables Poorly defined firewall policy IDS configured poorly.
Attack Process Demonstration Remote Hacker Sales Staff Management Inventory/ Planning PLC Internet Business/ Corporate Network Process Control Network Accounting Department Slave Database Master Database Operator Human Machine Interface 33 .
Common Perceptions IT’s View of Control Systems They do not comply or cooperate Their systems are not secure They are not in compliance with corporate standards They resist change Engineering sometimes viewed as future point of attack Control Systems View of IT They do not understand the constraints of operations They insist on measures that will adversely affect plant operations Engineers believe connecting the control system to the corporate LAN will increase the risk to operations To secure the entire network (process control and corporate). 34 . we need to work together. Realize the importance of each network and strive for security and reliability.
Defense-in-Depth Security 35 .
36 . Not A Product Work closely with vendors and integrators to ensure security is a priority. Get involved! Standards committees and working groups are looking for your input.Security Is A Process. Stay current on threats and vulnerabilities to control system environment.
private sector and international coordinating across government. private sector and international organizations to reduce the risk organizations to reduce the risk Build a culture of reliability.CSSP Mission and Objectives To strengthen the control system security posture by To strengthen the control system security posture by coordinating across government. security and resilience Demonstrate value Address cross sector security interdependencies Provide thought leadership 37 .
38 .S. and Waste • Postal and Shipping • Public Health and Healthcare • Telecommunications • Transportation • Water “Critical Manufacturing” was announced as the 18th sector in April 2008 Many of the processes controlled by computerized control systems have advanced to the point that they can no longer be operated without the control system. Materials. critical infrastructure into the following 17 CIKR sectors • Agriculture and Food • Banking and Finance • Chemical • Commercial Facilities • Dams • Defense Industrial Base • Emergency Services • Energy • Government Facilities • Information Technology • National Monuments and Icons • Nuclear Reactors.18 Critical Infrastructure Sectors Homeland Security Presidential Directive 7 (HSPD-7) along with the National Infrastructure Protection Plan (NIPP) identified and categorized U.
Cross Sector Interdependencies Control systems security is not sector specific Connectivity crosses geographic boundaries Sectors are not operationally isolated 39 .
Vulnerability Analysis Information Sharing Control System Vulnerability reports may be submitted via US-CERT Web Site and entered into National Vulnerability Database (NVD) CSSP Web site ‘Vulnerability Notes’ 14 vulnerability Notes published between May 2006 – February 2008 Vulnerabilities patched by vendors CSSC analysis shared across all sectors through products and trainings PCII is an information-protection tool that facilitates private sector information sharing with the government 40 .
Scenario Development Advance Vulnerability Discovery Identifying cyber attacks capable of achieving physical damage Combining cyber vulnerabilities with specific tactics. techniques & procedures to achieve maximum consequence Requires industry experience to identify control system risks 41 .
Briefings & Training Web Based Training Cyber Security for Control Systems Engineers & Operators OPSEC for Control Systems Instructor Led Courses Cyber Security Who Needs It? Control Systems Security for Managers Solutions for Process Control Security Introduction to Control Systems Security For the IT Professional Intermediate Control Systems Security Cyber Security Advanced Training and Workshop 42 .
DOD 8500.g. NERC CIP.2) Availability: To industry through licensed distributors (fee based) To federal government through DHS (free) 43 .Risk Reduction Products Self-Assessment Tool – CS2SAT Based on industry standards Capability: Creates baseline security posture Provides recommended solutions to improve security posture Standards specific reports (e.
Risk Reduction Products Cyber Security Procurement Language for Control Systems Building Security into Control Systems Provides sample or recommended language for control systems security requirements – – – New SCADA / control systems Legacy systems Maintenance contracts 44 .
Risk Reduction Products Catalog of Control Systems Security: Recommendations for Standards Developers Supporting Standards Development Provide guidance for cyber security requirements specific to control systems Enable a common security language across all industry sectors (harmonization of standards) Support standards bodies and industry associations to implement sound security practices in current standards 45 .
Develop Partnerships – Industry Control System Cyber Security Vendor’s Forum 46 .
academia. & deployment of more secure control & legacy systems Participants include national & international stakeholders from government.pcsforum. industry users. owner/operators. 2008 LaJolla CA 47 . & the vendor community For more information: www. systems integrators.org August 25-28.Develop Partnerships – Public Process Control Systems Forum (PCSF) Mission: To accelerate the design. development.
gov/control_systems or email: CSSP@dhs.us-cert.gov Contact information: National Cyber Security Division Seán P.McGurk@dhs. Director – Control Systems Security Program Sean.gov Learn more about CSSP at www.gov. McGurk. 703-235-5110.us-cert. or 888-282-0870 Sign up for cyber alerts at www.gov. email@example.com 48 .Cyber Security is a Shared Responsibility Report cyber incidents & vulnerabilities at www.us-cert.
Bio for Todd Stauffer. Siemens PCS 7 Marketing Manager SE&A Liaison to PCSF (Process Control Security Forum) Vendor Forum Leading Security Assessment of PCS 7 by the Department of Homeland Security at the Idaho National Laboratory Siemens Marketing Representative to the ISA Security Compliance Institute (ISCI) page 49 .
water & wastewater…) . electric utilities. chemical.DHS Control System Security Center Cyber Security Assessment of PCS 7 PCS 7 is being assessed for cyber vulnerabilities at the Control System Security Center.Mission is assessment of control systems to identify vulnerabilities that could put critical infrastructures at risk from a cyber attack .Helps industry and government improve the security of the control systems used in US critical infrastructure .(e.g. mitigation strategies are developed to enhance control system security Significant investment by both DHS and Siemens page 50 . Part of: Department of Homeland Security (DHS) National Cyber Security Division (NCSD) Control Systems Security Program (CSSP) The CSSP: .Once vulnerabilities are identified. oil & gas.
Motivation . Aurora) Help us enhance the security posture of PCS 7 control systems Knowledge transfer for members of PCS 7 Security Lab Expand DHS / INL body of knowledge for protecting control systems that control US Critical Infrastructure Help our customers comply with new government regulations (eg. DHS’s Chemical Facility Antiterrorism standard) No official recognized body for certification at this time (ISCI will help change this) page 51 .Why would Siemens ask DHS to perform a security assessment on PCS 7 ? Validate & Improve PCS 7 Security Concept Leverage CSSP’s unique skillsets (eg.
Siemens has a team within System Test that is dedicated to Industrial Security – PCS 7 Security Lab SIMATIC PCS 7/ WinCC security test system Tests MS security patches for compatibility Test Virus Scanner releases Definition / Testing of Approved Architectures Wrote PCS 7 Security Recommendations Document Ensures fast response to new security threats Performs intense Forefront testing to proactively identify vulnerabilities and minimize risks (results are fedback to R&D) Security Lab involvement in CSSP testing helps improve knowledge of attacker methods page 52 .
ISASecure ISASecure ..just like “TUV” is for Safety. Safer More Reliable Intrinsically Secure • To create a single recognizable body for Security Compliance ..ISA Security Compliance Institute (ISCI) • Goal: Establish a collaborative industrywide program that improves the security of our Nation’s Critical Infrastructure by providing a Control Environment that is….
Test Architecture was derived based on what is described in the PCS 7 Security Manual 3rd Party OPC Connection OS Web Client Remote Support PC DMZ VPN Tunnel SCALANCE S Windows ISA Firewall OS Server ES SCALANCE S Safety System (SIS) page 54 BPCS .
Targets of Evaluation (TOE) were selected to stress key parts of the system and to leverage CSSP’s expertise Specific targets have been selected which are key functions of PCS 7 Test Plan Objectives cover steps that might be potential goals of a real attacker in order to exploit the control system and cause damage to equipment. or users TOE Priority Number 1 2 3 4 5 6 7 TOE Description Assess Vulnerabilities in DMZ Servers Unauthorized Access to the Engineering Station Unauthorized Access to Operators Workstation Assess VPN Communications Security Perform Protocol Fuzzing to Find Vulnerabilities Unauthorized Configuration Database Access Unauthorized Access to the Administrative Server page 55 . service.
and Certification Authority Servers) Gaining Control of a Server inside the DMZ is a stepping stone for getting into the Control System page 56 . Virus Scan.TOE 1: Assess Vulnerability of DMZ Servers – Goal is for attacker to gain control of a server inside the DMZ Servers in the DMZ Central Archive Server (CAS) OS Web Server OpenPCS7 Server Infrastructure Server (includes WSUS.
TOE 2: Unauthorized Access to the Engineering Station – Goal is for attacker to gain interactive login to PCS 7 ES The ES is used for development. maintenance and troubleshooting of the Basic page 57 Process Control System (BPCS) and for the Process Safety System (SIS). .
TOE 5: Perform Protocol Fuzzing to Find Vulnerabilities – Goal is to cause a communication disruption / overload Communication Paths TUV certified Safety System Communication Controller-toController Plant Bus Terminal Bus Creating a Communication Overload Scenario is a common hacker method for page 58 attempting to take down a control system .
TOE 6: Unauthorized Configuration Database Access – Goal is to modify configuration from the PCS 7 ES Objectives Infiltrate PCS 7 ES and modify configuration Access / modify control system configuration without being detected Compromise controller configurations in BPCS (AS6) and SIS (AS4 – AS5) ES Hacker modifying a controller configuration would be a significant security breach page 59 .
Timeline for CSSP’s Security Testing of PCS 7 March (2008) – Face to-face Planning Meeting in KHE April / May – Procure Hardware and Stage test system May – Ship Test System from Germany to Idaho Falls June – Setup Test System at Idaho Falls July 1st – Begin Testing September 15th – Complete Testing Mid Sept – Mid Nov – Review & Document results November 15th – Deliver Final report to Siemens May 15th (2009) – Siemens After Action Report Due page 60 .
CRC checking .Lessons Learned We should make it easier for users to setup their system per the recommendations in the security manual PCS 7 Product documentation is inconsistent in places (Security Manual should override) Engineering System has the keys to the kingdom – Protect it ! Integrated Safety System has extra security features .Controller Switch prevents unplanned downloads Establishing and following a workflow process (including Change Management) is important page 61 .Passwords .
Q&A Thanks for Attending ! page 62 .
This action might not be possible to undo. Are you sure you want to continue?
We've moved you to where you read on your other device.
Get the full title to continue listening from where you left off, or restart the preview.